CVE-2022-0651

Name of the Vulnerable Software and Affected Versions WP Statistics versions up to and including 13.1.5

Description The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current page type parameter found in the ~/includes/class-wp-statistics-hits.php file. This allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information.

Recommendations For versions up to and including 13.1.5, update to a version later than 13.1.5 to resolve the issue. As a temporary workaround, consider restricting access to the ~/includes/class-wp-statistics-hits.php file to minimize the risk of exploitation. Avoid using the current page type parameter in the affected API endpoint until the issue is resolved.